Preparing Symmetric Crypto for the Quantum World
María Naya-Plasencia, Inria, France, ERC project QUASYModo
FSE 2019, Paris, March 26 2019
Preliminaries... No quantum knowledge needed for following this talk
Outline
◮ Introduction: motivation, scenarios and evolution
◮ Useful quantum tools
◮ Presentation of some results
- Building new useful quantum tools: collision and k-xor algorithms
- Some quantum attacks (Simon +)
◮ Final conclusion and open problems
Motivation
Cryptanalysis: Foundation of Confidence
◮ Ideal security defined by generic attacks (2^{|K|}). Does real security meet this ideal security? Need of continuous security evaluation. Any attack better than the generic one is considered a “break”.
◮ We are often left with an empirical measure of the security: cryptanalysis.
1/57
Very Important Notion: Security Margin
If no attack is found on a given cipher, what can we say about its robustness? The security of a cipher is not 1 bit of information:
- Round-reduced attacks.
- Analysis of components.
⇒ determine and adapt the security margin.
2/57
Very Important Notion: Security Margin
◮ Best attacks determine the security margin ⇒ possibly with high complexities: find the highest number of rounds reached.
◮ Allows to compare primitives.
◮ The estimates of security margin need to be precise and correct in order to be meaningful.
3/57
Post-Quantum Cryptography
Asymmetric (e.g. RSA): Shor’s algorithm: factorization in polynomial time ⇒ current systems not secure! Solutions: lattice-based, code-based cryptography...
Symmetric (e.g. AES): Grover’s algorithm: exhaustive search 2^{|K|} → 2^{|K|/2}. Double key length for equivalent ideal security. Much to learn about cryptanalysis when having quantum computing available.
4/57
Post-Quantum Cryptography
Problem for present existing long-term secrets. ⇒ start using quantum-safe primitives NOW. Important tasks:
◮ Conceive the cryptanalysis algorithms for evaluating the security of symmetric primitives in the P-Q world.
◮ Use them to evaluate and design symmetric primitives for the P-Q world.
5/57
On Quantum Attacks
◮ Compare to best generic attack,
◮ generic attack is accelerated, so
◮ a broken classical primitive might be unbroken in a quantum setting: e.g. a primitive might not have 256-bit security against a classical adversary but might have 128-bit security against a quantum one.
6/57
Scenarios and Models
Considered Scenarios
◮ Model Q0: classical attacks with classical computers.
◮ Model Q1: Q0 + access to a quantum computer.
◮ Model Q2: Q1 + superposition queries to a quantum cryptographic oracle (QCO).
◮ Model Q3: Q1 + superposition queries with the differences of a secret key in a QCO.
7/57
Model Q0 Nothing new here.
8/57
Model Q1
◮ So far, the best we have obtained is a quadratic speed-up, but it can be smaller:
- If a primitive is safe in Q0, it will also be in Q1.
◮ Does this mean that (so far) the Q1 scenario/results are not interesting? No!
safe = no attack better than generic attack
9/57
Model Q1
In a post-quantum future:
◮ The “classical” or “quantum” qualifiers will disappear: expected security given by their best generic attack (e.g. Grover). And security margin? → determined by the highest number of rounds cryptanalyzed with any attack more performant than generic.
◮ Q1 results: important information needed for determining the unique and future security margin.
10/57
Model Q2
Very powerful, BUT... Many good reasons to study security in this scenario:
◮ Simple: used in security proofs.
◮ Non-trivial: many constructions still seem resistant.
◮ Inclusive of all intermediate scenarios: protocols, obfuscation, hybrid machines, incompetent users...
11/57
Model Q2
Defined and used in many results: [Zhandry12], [Boneh-Zhandry13], [Damgård-Funder-Nielsen-Salvail13], [Mossayebi-Schack16], [Song-Yun17], Simon’s attacks, FX, AEZ... An attack in this model ⇒ we need to be extra careful when implementing the primitive in a quantum computer.
12/57
Model Q3
Super strong model: everything is broken [Roetteler-Steinwandt 15]. Too strong a model!
13/57
Another scenario classification
Scenario A) with big quantum memory, or Scenario B) quantum memory limited to poly(n).
The first one: interesting from a theoretical point of view and for considering trade-offs.
The second one: more “realistic” scenario.
14/57
Evolution
First Results Quantum Symmetric Cryptanalysis:
◮ Quantum analysis of CubeHash [Leurent 10] ◮ Simon on 3-round Feistel [Kuwakado Morii 10] ◮ Simon on Even-Mansour [Kuwakado Morii 12] ◮ Quantum MITM iterated ciphers [Kaplan14] ◮ Quantum Related-Key [Roetteler-Steinwandt15]
15/57
Quantum Symmetric Cryptanalysis
◮ In 2015/2016: [Kaplan-Leurent-Leverrier-NP16] Simon on modes/slide attacks. [Kaplan-Leurent-Leverrier-NP16b] Diff/linear.
Many new results since: FX [Leander-May17], parallel multi-preimage [Banegas-Bernstein17], multicollision [Hosoyamada-Sasaki-Xagawa17], MITM Q1 [Hosoyamada Sasaki 18], DS-MITM Feistel [Hosoyamada Sasaki 18], miss-in-the-middle [Xie, Yang 18], Feistel key-recovery [Dong, Wang 18], CCA on Feistel [Ito et al 19]...
16/57
Recent activity from QUASYModo
◮ Efficient collisions [Chailloux NP Schrottenloher Asiacrypt17] ◮ Quantum cryptanalysis of AEZ [Bonnetain SAC17] ◮ On modular additions [Bonnetain NP Asiacrypt 2018] ◮ k-xor problem [Grassi NP Schrottenloher Asiacrypt2018] ◮ AES quantum evaluation [Bonnetain NP Schrottenloher 18] ◮ On quantum slide attacks [Bonnetain NP Schrottenloher 18] ◮ Quantum security analysis of CSIDH [Bonnetain Schrottenloher18] ◮ Optimal merging: the k-xor problem [NP Schrottenloher 19] ◮ Improved low-qubit hidden shift algorithms [Bonnetain 19]
17/57
Some Useful Quantum Tools
Some Quantum Tools... ...that have been useful so far.
◮ Amplitude Amplification (AA) / Grover
◮ Quantum Counting
◮ Quantum Collisions
◮ Simon
◮ Kuperberg
18/57
Amplitude Amplification (Grover’s generalization)
Exhaustive search: Given f : {0, 1}^n → {0, 1}, find one element x ∈ {0, 1}^n such that f(x) = 1.
◮ Classical complexity: Ω(2^n / |supp(f)|).
◮ Quantum complexity [Brassard-Hoyer 97]: Ω(√(2^n / |supp(f)|)). In detail, we will see later: O(√(2^n / |supp(f)|) · (s_T + f_T)).
19/57
Quantum Counting Algorithm
Distinguish a biased distribution: Given a Bernoulli distribution, determine with high probability whether it has parameter 1/2 or 1/2 + ε.
◮ Classical complexity: O(1/ε^2).
◮ Quantum complexity [Brassard-Hoyer-Tapp 98]: O(1/ε).
20/57
Quantum Collision Algorithms
Collision problem: Given a random function H : {0, 1}^n → {0, 1}^n, find x, y ∈ {0, 1}^n with x ≠ y such that H(x) = H(y).
◮ Classical complexity: Ω(2^{n/2}).
◮ Quantum complexity [Brassard-Hoyer-Tapp 97]: O(2^{n/3}) in queries, in time and in quantum memory → scenario A. (Scenario B later)
21/57
Simon’s algorithm
Simon’s problem: Given f : {0, 1}^n → {0, 1}^n such that ∃s | f(x) = f(y) ⇔ [x = y or x ⊕ y = s], find s.
◮ Classical complexity: Ω(2^{n/2}).
◮ Quantum complexity [Simon 94]: O(n).
22/57
Kuperberg’s algorithm
Hidden Shift Problem with modular addition: Let f, g be two injective functions, (G, +) a group. Given the promise that there exists s ∈ G such that, for all x, f(x) = g(x + s), retrieve s.
◮ Classical complexity: Ω(2^{n/2}).
◮ Quantum complexity [Kuperberg 05]: 2^{O(√n)}.
23/57
Some New Results: New Useful Quantum Tools
Some New Useful Quantum Tools
◮ New quantum collision algorithm
◮ Quantum k-xor algorithms
◮ Multicollisions
◮ Grover-meets-Simon
◮ Simon-meets-Kuperberg
◮ Framework for quantizing classical attacks
◮ Quantumly efficient DDT equivalent
◮ Miss-in-the-middle search
24/57
Collision Search with A. Chailloux, A. Schrottenloher
Collision Search Problem: Given a random function H : {0, 1}^n → {0, 1}^n, find x, y ∈ {0, 1}^n with x ≠ y such that H(x) = H(y). Many applications: e.g. generic attacks on hash functions. (Multi-target preimage search can be seen as a particular case.)
25/57
Best known algorithms
Algorithm   Time        Queries    Qubits     Classical Memory
Pollard     2^{n/2}     2^{n/2}    -          O(n)
Grover      2^{n/2}     2^{n/2}    O(n)       -
BHT         2^{2n/3}*   2^{n/3}    O(n)*      2^{n/3}
Ambainis    2^{n/3}     2^{n/3}    2^{n/3}    -
26/57
Considered Model
◮ The same one as in the previous collision quantum algorithms, BUT we limit the amount of quantum memory available to a small amount O(n): scenario B instead of A.
◮ Available small quantum computers seem like the most plausible scenario.
◮ We are interested in the theoretical algorithm and we did not take into account yet implementation aspects.
27/57
Starting Point: BHT Algorithm
◮ Optimal number of queries,
◮ O(n) qubits (scenario B),
◮ But time?
28/57
BHT: Summarized procedure
◮ Build a list L of 2^{n/3} elements (classical memory),
◮ Exhaustive search for finding one element that collides: with AA, the number of iterations is (2^n / 2^{n/3})^{1/2} = 2^{n/3}.
◮ Testing the membership with L for the superposition of states costs 2^{n/3} with n qubits.
Time: 2^{n/3} + 2^{n/3}(1 + 2^{n/3}) ≈ 2^{2n/3}
29/57
Can we improve this?
Let’s build the list L with distinguished points, e.g. H(x_i) = 0^u || z, for z ∈ {0, 1}^{n−u}.
The cost of building the list is bigger: 2^{n/3+u/2}.
The setup of AA is bigger: 2^{u/2}.
The membership test stays the same: |L| = 2^{n/3}.
BUT the number of iterations is smaller: 2^{n/3−u/2}.
Time: 2^{n/3+u/2} + 2^{n/3−u/2}(2^{u/2} + 2^{n/3}) ≈ 2^{2n/3−u/2} + 2^{n/3+u/2}
30/57
With optimal parameters
The cost will be optimized for a certain size of L, |L| = 2^v (instead of 2^{n/3}).
Time: 2^{v+u/2} + 2^{(n−v−u)/2}(2^{u/2} + 2^v)
For v = n/5, u = 2n/5: Time: O(2^{2n/5})
31/57
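The cost formula of this slide, worked through as an added example (this is not code from the talk): exponents are written as fractions of n, so a value α stands for a time of 2^{αn}; `time_exponent` returns the dominant exponent among the three terms of Time = 2^{v+u/2} + 2^{(n−v−u)/2}(2^{u/2} + 2^v), and `best_parameters` grid-searches v and u, recovering BHT’s 2^{2n/3} for (v, u) = (n/3, 0) and the 2^{2n/5} optimum at (n/5, 2n/5).

```python
from fractions import Fraction

def time_exponent(v, u):
    """Dominant exponent alpha (time 2^(alpha n)) of the slide's cost formula
    Time = 2^(v+u/2) + 2^((n-v-u)/2) * (2^(u/2) + 2^v), with n normalised to 1.
    v = log2|L| and u = length of the zero prefix, both as fractions of n."""
    build = v + Fraction(u) / 2               # building the list L of 2^v distinguished points
    iterations = Fraction(1 - v - u) / 2      # AA iterations: sqrt(2^n / 2^(v+u))
    setup = iterations + Fraction(u) / 2      # every iteration re-runs the 2^(u/2) AA setup
    membership = iterations + v               # every iteration tests membership in L (size 2^v)
    return max(build, setup, membership)

def best_parameters(denominator=60, v_fixed=None):
    """Grid search over v, u in multiples of n/denominator with v, u >= 0 and v + u <= n.
    Returns (alpha, v, u) minimising the time exponent; v_fixed pins v (e.g. BHT's n/3)."""
    best = None
    for i in range(denominator + 1):
        v = Fraction(i, denominator)
        if v_fixed is not None and v != v_fixed:
            continue
        for j in range(denominator + 1 - i):
            u = Fraction(j, denominator)
            candidate = (time_exponent(v, u), v, u)
            if best is None or candidate[0] < best[0]:
                best = candidate
    return best

def bht_exponent():
    # BHT: |L| = 2^(n/3) and no distinguished points (u = 0) -> 2^(2n/3)
    return time_exponent(Fraction(1, 3), 0)

if __name__ == "__main__":
    print("BHT:", bht_exponent())                                  # 2/3
    print("free v, u:", best_parameters())                         # (2/5, 1/5, 2/5)
    print("|L| pinned to 2^(n/3):", best_parameters(v_fixed=Fraction(1, 3)))  # (1/2, 1/3, 1/3)
```

Keeping |L| = 2^{n/3} and only tuning u never gets below 2^{n/2}; the 2^{2n/5} bound needs both parameters balanced, which is why the list size is optimised too.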
Comparison
Algorithm       Time        Queries    Qubits     Classical Memory
Pollard         2^{n/2}     2^{n/2}    -          O(n)
Grover          2^{n/2}     2^{n/2}    O(n)       -
BHT             2^{2n/3}    2^{n/3}    O(n)       2^{n/3}
Ambainis        2^{n/3}     2^{n/3}    2^{n/3}    -
New algorithm   2^{2n/5}    2^{2n/5}   O(n)       2^{n/5}
32/57
Example of Applications
◮ Hash functions: collision and multi-preimage time from 2^{n/2} to 2^{2n/5} and 2^{3n/7} (Q1). Ex.: time and queries for n = 128: Pollard rho = 2^{64} vs ours = 2^{51} with less than 1 GB classical.
◮ Multi-user setting.
◮ Operation modes.
◮ Bricks for cryptanalysis.
33/57
About Parallelization
◮ What about comparison with parallel rho? This algorithm provides new trade-offs. For comparison, previous example n = 128: parallel rho = 2^{51} with 2^{13} processors vs ours = 2^{51} with less than 1 GB classical.
◮ When both are parallelized: up to 2^{n/3} processors, this algorithm is more time-efficient than parallel rho.
34/57
Conclusion - Collision
New efficient collision search algorithm with small quantum memory (nothing scary, new trade-offs): first algorithm with less than 2^{n/2} computations in scenario B. Many applications in symmetric cryptography. Open question: is it possible to meet the optimal 2^{n/3} in time with small quantum memory?
35/57
Quantum Efficient Algorithms for the k-xor Problem (and Update) with L. Grassi, A. Schrottenloher
k-xor problem with random functions: Given query access to a random function H : {0, 1}^n → {0, 1}^n, find x_1, ..., x_k such that H(x_1) ⊕ ... ⊕ H(x_k) = 0. For us, equivalent to the case with k different random functions. Many applications (with k-sum, similar algorithms apply), e.g.: attacks on FSB, XLS, SWIFFT; correlation attacks.
36/57
The 3-xor problem
Find 3 elements that xor to 0: not much better than collision in the classical setting. Classically, no exponential time acceleration, only logarithmic: complexity of O(2^{n/2}).
37/57
3-xor: Scenario B Algorithm
◮ 1st approach, distinguished points: 2^v = 2^{n/8}, T = 2^{3n/8}
[Figure: two lists L1 = {H(x_i)} and L2 = {H(y_i)} of 2^v elements each, all entries starting with u zero bits followed by n−u free bits]
◮ Intuition: with a memory of 2^v + 2^v we obtain 2^{2v} potential collisions.
38/57
3-xor: Scenario B Algorithm
◮ 1st approach: 2^v = 2^{n/8}, T = 2^{3n/8}
◮ 2nd approach, techniques linked to “list merging”:
[Figure: lists L1 and L2 of 2^v elements, words split into blocks of n−2u−t, u, u and t bits; entry i of L1 holds zeros, x_i and the index i, entry i of L2 holds y_i, zeros and the same index i in its own blocks, so entries with equal index merge]
Improved time = 2^{5n/14}, with 2^v = 2^{n/7}.
◮ Exponentially better than collision, contrary to classical!
39/57
3-xor: Scenario A Algorithm
◮ Same technique as before, but no need for a common prefix of zeroes.
◮ This gives QM = 2^{n/5} and Time = 2^{3n/10}.
40/57
The k-xor algorithms
[Plot: exponent α_k as a function of k, for k = 2 to 20 and α_k from 0.05 to 0.55, with the curves Classical [Wagner 02], Scenario A and Scenario B]
The time complexities are O(2^{α_k n})
41/57
k-xor algorithms: Very Recent results
◮ Related to dissection: partial solutions to subproblems n′ < n, k′ < k, and combining them.
◮ When optimal? Not intuitive at all! ⇒ Recursive MILP program for optimality in both scenarios. Can we reach better complexities than O(2^{n/(⌊log2(k)⌋+2)}) when k is not a power of 2 in scenario A? Can we obtain time complexities better than classical for k ≥ 8 in scenario B?
42/57
New Results: scenario B
[Plot: α_k as a function of k, for k = 5 to 20 and α_k from 0.1 to 0.5, with the curves New, Classical and Previous]
The complexities are O(2^{α_k n})
43/57
New Results: scenario A
[Plot: α_k as a function of k, for k = 5 to 20 and α_k from 0.1 to 0.5, with the curves New, Classical and Previous]
The complexities are O(2^{α_k n})
44/57
Conclusion - k-xor - Optimal Merging
◮ The quantum 3-xor problem is exponentially easier than the quantum collision problem (in both settings), contrary to classical.
◮ The time for solving the 3-xor problem in scenario A beats the lower bound for quantum collision of 2^{n/3}.
◮ For generic k, scenario B improves Wagner for half the values, and scenario A improves for all k (interpolated curve).
45/57
Some Results on Quantum Attacks
New Quantum Attacks
◮ Differential/Linear
◮ Simon-based
◮ Kuperberg-based
◮ Slide attacks
◮ DS-MITM
And dedicated analysis:
◮ FX and Feistel constructions
◮ Q2 attack on AEZ
◮ Q2 attack on Poly-1305
◮ AES quantum analysis
46/57
Simon and Kuperberg Attacks with X. Bonnetain, M. Kaplan, G. Leurent, A. Leverrier
Simon on Even-Mansour [Kuwakado Morii 12]
◮ [Even-Mansour 97] cipher: DT > 2^n
[Figure: x → ⊕ k1 → P → ⊕ k2 → E_{k1,k2}(x), i.e. E_{k1,k2}(x) = P(x ⊕ k1) ⊕ k2]
f(x) = E_K(x) ⊕ P(x) → f(x) = f(x ⊕ k1). Simon’s algorithm on f ⇒ k1 in O(n)
47/57
[Kaplan-Leurent-Leverrier-NP 16] Simon on most authentication modes + slide attacks
◮ For example encrypt-last-block CBC-MAC:
[Figure: blocks m1, m2, m3 chained through E_k, final block encrypted with E_k′, output tag τ]
f : {0, 1} × {0, 1}^n → {0, 1}^n, (b, x) ↦ CBCMAC(α_b ‖ x) = E_k′(E_k(x ⊕ E_k(α_b))).
CBCMAC(α_1 ‖ x ⊕ E_k(α_0) ⊕ E_k(α_1)) = E_k′(E_k((x ⊕ E_k(α_0) ⊕ E_k(α_1)) ⊕ E_k(α_1))) = CBCMAC(α_0 ‖ x)
s = 1 ‖ E_k(α_0) ⊕ E_k(α_1)
48/57
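Simon’s algorithm is the common tool of the Even-Mansour slide and this CBC-MAC slide: each builds a function whose hidden period contains the key. The following is an added example (not code from the talk or from the cited papers) with toy 8-bit random permutations standing in for P, E_k and E_k′ and constructed constants α_0, α_1; it checks the two periodicity identities f(x) = f(x ⊕ k1) and CBCMAC(α_1 ‖ x ⊕ E_k(α_0) ⊕ E_k(α_1)) = CBCMAC(α_0 ‖ x) exhaustively, then runs the classical half of Simon’s algorithm (the GF(2) linear solve), with the quantum sampling step replaced by an assumed generator of random vectors orthogonal to s.

```python
import random

N = 8   # toy block size, constructed for this example (not the n of a real cipher)

def make_perm(seed):
    # Random permutation of {0,1}^N standing in for an ideal block cipher / public permutation
    perm = list(range(1 << N))
    random.Random(seed).shuffle(perm)
    return perm

P, E, E2 = make_perm(1), make_perm(2), make_perm(3)  # P: Even-Mansour permutation; E, E2: E_k, E_k'
ALPHA = (0x11, 0x22)                                  # constructed first blocks alpha_0, alpha_1

def even_mansour_f(k1, k2):
    # E_{k1,k2}(x) = P(x xor k1) xor k2, so f(x) = E(x) xor P(x) satisfies f(x) = f(x xor k1)
    return lambda x: (P[x ^ k1] ^ k2) ^ P[x]

def cbcmac_f(v):
    # v encodes (b, x) with b in the top bit: f(b, x) = CBCMAC(alpha_b || x) = E_k'(E_k(x xor E_k(alpha_b)))
    b, x = v >> N, v & ((1 << N) - 1)
    return E2[E[x ^ E[ALPHA[b]]]]

CBCMAC_PERIOD = (1 << N) | (E[ALPHA[0]] ^ E[ALPHA[1]])  # s = 1 || E_k(alpha_0) xor E_k(alpha_1)

def has_period(f, s, bits):
    return all(f(x) == f(x ^ s) for x in range(1 << bits))

def parity(v):
    return bin(v).count("1") & 1

def gf2_solve(rows, bits):
    # Nonzero s with y.s = 0 (mod 2) for every y in rows; None until the solution is unique.
    basis = {}                                  # pivot bit -> row in echelon form (pivot = top bit)
    for y in rows:
        for p in sorted(basis, reverse=True):
            if (y >> p) & 1:
                y ^= basis[p]
        if y:
            basis[y.bit_length() - 1] = y
    free = [c for c in range(bits) if c not in basis]
    if len(free) != 1:
        return None
    s = 1 << free[0]                            # free variable := 1, then back-substitute upwards
    for p in sorted(basis):
        if parity(basis[p] & s):
            s |= 1 << p
    return s

def simon_recover(s_hidden, bits, seed=0):
    # Stand-in for the quantum step (assumption): each run of Simon's circuit on a function of
    # period s_hidden yields a uniform y with y.s_hidden = 0; here we sample such y classically.
    rng, rows = random.Random(seed), []
    while True:
        y = rng.randrange(1 << bits)
        if parity(y & s_hidden) == 0:
            rows.append(y)
            s = gf2_solve(rows, bits)
            if s is not None:
                return s
```

`simon_recover` stops as soon as the collected vectors span a space of dimension bits − 1, which is the O(n)-query behaviour the slide quotes for Simon’s algorithm.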
Simon and Grover on FX construction The FX construction is a natural construction for extending the key-length n ⇒ 2n.
[Figure: x → ⊕ k1 → E_{k0} → ⊕ k2 → E_{k0,k1,k2}(x), i.e. E_{k0,k1,k2}(x) = E_{k0}(x ⊕ k1) ⊕ k2]
[Leander May 17] combined Simon with Grover: → broken in O(2n · 2^{n/2})
49/57
Tweaking to resist Simon’s algo.?
◮ In [Alagic Russell 17] several proposals. Most efficient: replace xor by modular additions.
◮ Hidden shift problem in Z/(N).
◮ No algorithm in polynomial time: Kuperberg in 2^{O(√n)}
◮ Up to what point do primitives resist?
50/57
Motivation and results [Bonnetain-NP18]
◮ 1. More precise evaluation of Kuperberg’s algorithm complexity + improvement
◮ 2. What about parallel modular additions?
◮ 3. New quantum attacks (Feistel’s slide, FX)
◮ 4. Dimension symmetric primitives
51/57
Improvement and Simulation
Our improvement: all the bits with one iteration. O(n^2 · 2^{√(2 log2(3) n)}) ⇒ O(n · 2^{√(2 log2(3) n)})
Our simulations: 0.7 × 2^{1.8√n} for recovering full s. Code available: ask Xavier Bonnetain if interested. xavier.bonnetain@inria.fr
52/57
Results - Conclusion
◮ Improved Kuperberg’s algorithm and new algorithm for parallel modular additions.
◮ State size needed for 128-bit security: at least 5200 bits (but for FX) ⇒ not very realistic.
◮ Might be better to just avoid vulnerable constructions, or try different patches.
◮ Recently: concrete security of some isogeny-based primitives [Bonnetain-Schrottenloher]
53/57
Final Conclusion
General Conclusion (for now) 1/2
◮ No reason to panic, symmetric crypto seems to be holding on well
◮ Bigger internal states?
◮ Ideas from quantum analysis might improve classical analysis
◮ Many things yet to do to precisely evaluate security, to find best attacks, to adjust parameters...
54/57
General Conclusion (for now) 2/2
◮ What about Q2? No consensus: surprising-scary results vs useless model?
- IMHO: very strong model, but when possible, better to avoid Q2 attacks: symmetric modus operandi works well in part because we are never too paranoid (attacks on 2^{200} declare ciphers broken, ...)
◮ At least: information worth knowing. Aristotle?
55/57
Open problems
◮ Propose an efficient AE mode Q2-safe
◮ New quantum attacks: QFT?
◮ Quantum security evaluation of primitives (LW)
◮ Generic key-length extensions?
◮ Design of primitives with bigger state
◮ Time-memory trade-offs for k-xor algorithms
◮ Evaluating quantum implementation of algorithms
◮ ...
56/57
Quantum-Safe Symmetric Primitives
Lots of things to do!
◮ And what about quantum asymmetric cryptanalysis?? Necessary to evaluate the concrete security of proposed primitives. Possible links between both.
Many thanks to André Schrottenloher, Xavier Bonnetain, Anne Canteaut, Gaëtan Leurent, Anthony Leverrier...
57/57
ERC QUASYModo https://project.inria.fr/quasymodo/
◮ 1 PhD position
◮